OSGeo gdal
cpe:2.3:a:osgeo:gdal:*:*:*:*:*:*:*
- <= 3.13.0dev-4
A heap-based buffer overflow vulnerability has been identified in OSGeo GDAL versions through 3.13.0dev-4. The issue arises in the HDF4-EOS processing module, specifically within the 'SWnentries' function of 'frmts/hdf4/hdf-eos/SWapi.c'. The vulnerability is triggered by unbounded string concatenation into a caller-allocated buffer, based on incorrect assumptions about the formatting of metadata values. This flaw allows for local exploitation, potentially leading to arbitrary memory corruption.
Exploitation of this vulnerability causes a heap buffer overflow, which can lead to a segmentation fault (SIGSEGV) and a denial-of-service condition. Additionally, there is a potential for controlled out-of-bounds writes to the heap, which could be exploited to execute arbitrary code.
The vulnerability can be reproduced with a crafted HDF-EOS swath file containing unquoted 'DimensionName' values, which bypass HDF library validation. Processing this file with the 'gdalmdiminfo' utility, part of the GDAL distribution, triggers the buffer overflow when the application is built with AddressSanitizer and UndefinedBehaviorSanitizer enabled.
Users are advised to upgrade to GDAL version 3.12.4RC1, which addresses this vulnerability.
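The bug class described above (string concatenation into a caller-allocated buffer that trusts the metadata to be quoted) is avoided by an append routine that checks the remaining capacity and makes no assumption about quoting. The following is an added example, not code from GDAL or from its fix; the function name 'append_dim_name', the comma-separated list layout and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a GDAL function): append one metadata value,
 * such as a DimensionName, to a comma-separated list stored in a
 * caller-allocated buffer of `cap` bytes.
 * Returns 0 on success, -1 if the value does not fit (list left unchanged). */
int append_dim_name(char *list, size_t cap, const char *value)
{
    size_t vlen = strlen(value);

    /* Strip quotes only when both are really there; an unquoted value is
     * copied whole instead of being assumed to carry two quote bytes. */
    if (vlen >= 2 && value[0] == '"' && value[vlen - 1] == '"') {
        value++;
        vlen -= 2;
    }

    /* Locate the current end of the list without reading past `cap`. */
    const char *nul = memchr(list, '\0', cap);
    if (nul == NULL)
        return -1;
    size_t used = (size_t)(nul - list);
    size_t sep = used > 0 ? 1 : 0;

    /* Separator + value + terminating NUL must fit in the remaining space. */
    if (vlen + sep >= cap - used)
        return -1;

    if (sep)
        list[used++] = ',';
    memcpy(list + used, value, vlen);
    list[used + vlen] = '\0';
    return 0;
}

int main(void)
{
    char dims[16] = "";                     /* constructed sample buffer */
    const char *values[] = { "\"Track\"", "XTrack", "LongUnquotedName" };

    for (size_t i = 0; i < 3; i++) {
        int rc = append_dim_name(dims, sizeof dims, values[i]);
        printf("%-18s rc=%d list=\"%s\"\n", values[i], rc, dims);
    }
    return 0;
}
```

A caller that receives -1 should treat the metadata as malformed and stop parsing rather than truncate silently.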